| 關 鍵 詞: |
歐盟;個人資料;資料保護指令;一般資料保護規則;域外效力;設立機構;商品服務提供行為;監測行為;鎖定 |
| 中文摘要: |
為強化對於歐盟境內資料當事人的保護,一九九五年資料保護指令及現行的一般資料保護規則(GDPR)均設置了域外效力條款,使其適用範疇並不以歐盟所轄地域為限。指令第 4 條規定的設立機構及設備使用兩款適用情形,凸顯歐盟擬透過域外效力條款因應個人資料數位化及全球流通趨勢。面對急劇變化的網路應用環境,GDPR 持續採納域外效力設計,第 3 條除原已存在的設立機構,新增兩款過去未見的適用情形:1. 鎖定歐盟境內資料當事人提供商品或服務;及2. 針對歐盟境內資料當事人的行為進行監測,儘管嘗試解決固有問題,新制仍面臨適用上之爭議。本文分析歐盟歷來法制規範、官方指引及重要實務案例,具體指出歐盟個人資料保護立法域外效力規定存在的問題點,同時進行國內立法之對照觀察並提出適用建言。
|
| 英文關鍵詞: |
European Union;Personal Data;Data Protection Directive;General Data Protection Regulation (GDPR);Extraterritorial Effect;Establishment;Offering of Goods or Services;Monitoring;Targeting |
| 英文摘要: |
Currently there has been an unprecedented number of data privacy laws being enacted or revised around the world with most of them being affected by the European Union’s data protection regulations. The EU has had regulations pertaining to data protection since 1995, and the newest legislation, the General Data Protection Regulation (GDPR), went into effect on May 25, 2018. The GDPR not only applies to data processing activities conducted by organizations established in the EU but also extends to its territorial reach with two types of business activities: offering of goods or services to data subjects situated in the EU and monitoring of the behaviour of such data subjects. Given the extensive obligations and stiff penalties imposed by the GDPR, global organizations have been rightly focused on how their own data processing activities may fit within the scope of extraterritorial effect of GDPR. But to date, there has been a degree of uncertainty for organizations regarding the scope of the GDPR’s application outside of the EU. Although Article 3 of the GDPR represents a significant expansion of the territorial reach of an EU Regulation, a global approach to the protection of individuals’ rights is still necessary - especially in the case of the online world, as it does not respect physical or geographical boundaries and thus often gives rise to the question of which law is applicable in the case of online activities. As regulatory changes can prove to be both an opportunity and a challenge, this article aims to examine the extraterritoriality of prior and current EU data privacy law, discuss the key concepts of the provision for applicability of EU data protection laws to non-EU data controller or processor, point out the differences and related questions about the application of extraterritorial effect provisions between Directive and GDPR, and - finally - provide suggestions toward domestic legislation.
|
| 目 次: |
壹、前言
貳、歐盟一九九五年資料保護指令下的域外效力規定
一、95 年指令第 4 條規定之設計
二、適用情形一:在成員國內存在設立機構暨關聯性
(一)歐盟 WP 29 工作小組第 8/2010 號意見書
(二)歐盟法院 Google Spain 案判決提出之見解
(三)歐盟 WP 29 工作小組第 8/2010 號意見書之更新
三、適用情形二:使用座落於歐盟成員國境內的設備
四、學者提出的批評意見
(一)關於設立機構暨關聯性
(二)關於歐盟成員國境內設備之使用
五、小結
參、歐盟二○一八年一般資料保護規則下的域外效力規定
一、GDPR 下的域外效力設計
(一)95 年指令至 GDPR 之發展
(二)第 3 條規定具體內容
二、於歐盟境內存在設立機構
(一)GDPR 仍未明訂判斷標準
(二)歐盟 EDPB 提出之判斷建議
三、對歐盟境內資料當事人銷售商品或提供服務
(一)位處歐盟境內的資料當事人
(二)提供商品或服務予歐盟境內的資料當事人
四、針對歐盟境內資料當事人進行監測
(一)位處歐盟境內的資料當事人
(二)監測行為的具體認定
五、GDPR 域外效力規定適用問題及發展趨勢觀察
(一)相關條款仍難脫適用標準模糊不清之譏
(二)借鏡管轄權判斷測試方法確認「鎖定」概念之可能
六、國內立法之對照觀察與建議
肆、結語
|
| 相關法條: |
 |
| 相關判解: |
|
| 相關函釋: |
|
| 相關論著: |
|